Promises, Promises: Facebook’s History with Privacy

“We’ve made a bunch of mistakes.” “Everyone needs complete control over who they share with at all times.” “Not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.”

Lawmakers in many countries may be focused on Cambridge Analytica’s alleged improper use of Facebook data, but the social network’s privacy problems go back more than a decade. Here are some of the company’s most notable missteps and promises around privacy.

2007

The social media darling unveils its Facebook Platform to great fanfare. Zuckerberg says app developers can now access the web of connections between users and their friends, a set of connections Facebook calls the “social graph.”

“The social graph is changing the way the world works,” he says.

That November, Facebook launches Beacon, which shares what users are doing on other websites with their Facebook friends. Many users find it intrusive and difficult to disable. Massachusetts resident Sean Lane buys his wife a diamond ring for Christmas on Overstock.com, but Facebook ruins the surprise, an incident leading to a class-action lawsuit.

In December, Zuckerberg apologizes and enables users to shut off Beacon. “I know we can do better,” he says.

2008

Facebook launches Facebook Connect, aiming to correct Beacon’s mistakes by requiring users to take deliberate action before they share activity from other websites when logged in using Facebook. More than 100 websites use the tool at launch, including CNN and TripAdvisor.

2009

Facebook announces “privacy improvements” after a yearlong review by Canada’s Office of the Privacy Commissioner found that it geared its default privacy settings toward openness, failed to inform users their data would be used to serve ads, and leaked data to third-party developers, including when their friends used apps. Facebook vows to encourage “users to review their privacy settings” but does not agree to all the recommendations.

Beacon is officially shut down, settling Lane’s class-action lawsuit.

The American Civil Liberties Union warns people that Facebook’s default settings mean that when a friend uses an app or takes a quiz, the quiz- or app-maker can peer into your profile, even if you’ve made it private.

2010

App-makers exhibit a sophisticated grasp of data they can scoop from Facebook’s social graph.

The Wall Street Journal reports that many popular apps, among them Zynga’s breakout game FarmVille, are transmitting personalized Facebook data to dozens of advertising and internet companies. Facebook responds by shutting down some apps.

Prior to the Journal report, Facebook says it has redesigned its privacy tools, giving its 400 million users “the power to control exactly who can see the information and content they share.”

2011

The Federal Trade Commission reaches a consent decree with Facebook after an investigation of its broken privacy promises to consumers.

The FTC alleges, among other things, that:

Facebook made its users’ friend lists public in December 2009, even if they had been set to private, without telling them.

Even if users limited data sharing to “friends only,” data was actually shared with third-party apps that friends used.

Facebook failed to verify the security of apps it put on a “verified apps” list.

Facebook promised not to share personal information with advertisers, but did.

Facebook promises to submit to a privacy audit every two years for the next 20 years, and Zuckerberg owns up to mistakes.

2012

Facebook introduces new methods to help advertisers reach people in ways “that protect your privacy,” including an encryption tool called Custom Audiences that lets marketers match the email addresses of sales leads to the addresses that Facebook users used to set up their accounts.

Facebook also rolls out new privacy tools aimed at simplifying its convoluted and confusing privacy controls. Among other things, it narrows the scope of app permissions so they don’t suck in as much user data automatically.

2013

Facebook shares two-year-old anonymized data on billions of friendships between countries with Cambridge researcher Aleksandr Kogan and co-authors a research paper with him (published in 2015).

Kogan creates a quiz app, installed by around 300,000 people, giving him access to tens of millions of their friends’ data.

2014

Facebook says it dramatically limits the access apps have to friend data, preventing the type of data scoop Kogan and others were capable of. It also requires developers to get approval from Facebook before accessing sensitive data.

2015

Facebook says it learns from Guardian journalists that Kogan has shared data with Cambridge Analytica in violation of its policies. It bans the app and asks Kogan and Cambridge Analytica to certify they had deleted the data.

It rolls out “Security Checkup,” a new tool aimed at simplifying its convoluted and confusing privacy controls.

Facebook says it learns from The Guardian and other media outlets that Cambridge Analytica did not delete improperly obtained Facebook data and suspends the company, Kogan, and whistleblower Christopher Wylie from its service.

Zuckerberg tells CNN that “I’m really sorry that this happened.” He promises to audit app makers that gathered massive amounts of data prior to 2014 and to notify affected users. Amid calls for investigations in the U.S. and U.K., the FTC begins investigating whether Facebook broke its 2011 consent decree.

“Our responsibility now is to make sure that this doesn’t happen again,” Zuckerberg says.

Facebook redesigns its privacy settings menu on mobile devices and says in a blog post, “It’s time to make our privacy tools easier to find.” …